The Difference Between IT Cybersecurity and Product Cybersecurity

IT cybersecurity and medical product cybersecurity have different priorities. Here's how to ensure your IT team has the tools it needs.

Stephanie Domas

Manufacturers are at various levels of preparedness when it comes to cybersecurity for medical devices, but are sincerely trying to get up to speed. The latest thinking in this space--by regulators, manufacturers, and solution providers--revolves around the difference between IT cybersecurity on the corporate/enterprise level and product cybersecurity

While IT security is traditionally focused on compliance and securing enterprise systems such as laptops and servers, medical product cybersecurity is focused on risk management, hardware and software development.

Why does that matter? Well, compliance means meeting a minimum bar that is required by a particular standard. In medical products there are no standards, it's all about risk management. By following a risk management process, it allows manufacturers to iterate over risks, prioritize, and decide on mitigations that best suit their level of acceptable risk.

Due to this difference in approaches and knowledge many manufacturers are experiencing growing pains in partnering with their IT departments to address medical product security.

But hope is not lost! Taking the time to educate your IT teams on risk management can go a long way to building that relationship. With that said, manufacturers also need to realize IT likely doesn't possess enough development background to be your full security solutions.

[Read more on "How Medtech Cyber Attacks Are Evolving."]

The best cybersecurity teams are cross functional, you need the voice of someone who knows how to secure networked enterprise environments just as much as you need someone who knows how to secure your bootloader. So partner with your IT teams as a part of your product security approach.

One of the biggest things to keep in mind is not new, but is worth repeating. As Rob Suarez of Becton Dickinson reminded us, vulnerabilities are inevitable and the time to plan for the worst is before it happens. Manufacturers need to develop an incident response team made up of all the stakeholders, including R&D, cyber experts, legal, marketing, and regulatory.

Take the time to put processes in place so when an incident does occur, you're not left scrambling.

Stephanie Domas is lead medical device security engineer at Battelle.

[Image courtesy of SIRA ANAMWONG/FREEDIGITALPHOTOS.NET]